Fix a potential ROOT-exploit in NTPD.

PR: 26358 Reviewed by: dima
svn path=/head/; revision=75202
2025-01-12 14:29:28 +00:00 · 2001-04-04 23:07:22 +00:00 · 2001-04-04 23:07:22 +00:00 · 0cad4cb4e6 · 2020-12-20 02:59:44 +00:00
commit 0cad4cb4e6
parent 4464fee503
1 changed files with 18 additions and 1 deletions
--- a/contrib/ntp/ntpd/ntp_control.c
+++ b/contrib/ntp/ntpd/ntp_control.c
@ -1,6 +1,11 @@
 /*
 * ntp_control.c - respond to control messages and send async traps
 */
+
+/*
+ * $FreeBSD$
+ */
+
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
@ -1649,8 +1654,20 @@ ctl_getitem(
 					tp = buf;
 					while (cp < reqend && isspace((int)*cp))
 						cp++;
-					while (cp < reqend && *cp != ',')
+					while (cp < reqend && *cp != ',') {
 						*tp++ = *cp++;
+						if (tp > buf + sizeof(buf)) {
+							 msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", 
+	(ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+	(ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+	(ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+	(ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+	ntohs(rmt_addr->sin_port)
+);
+
+							return (0);
+						}
+					}
 					if (cp < reqend)
 						cp++;
 					*tp = '\0';